Over 800 million records associated with WordPress users were exposed by a misconfigured cloud database before the owner was informed, reports Website Planet.
In a post on Website Planet, a website for web developers, cybersecurity researcher Jeremiah Fowler revealed that a database owned by US-based web host DreamHost was exposed and publicly accessible.
Fowler, together with Website Planet's team, found the unsecured database on April 16. It appears to contain three years' worth of records, from March 24, 2018, to April 16, 2021.
Website Planet (@website_planet), June 24, 2021: "Nearly One Billion Records Exposed by One of The Most Popular Web Hosting Platforms – See our full report here: https://t.co/Oo8ZiRy638"
The database contained information about DreamHost customers as well as WordPress accounts that were hosted on DreamHost's servers.
Fowler claimed some leaked information was tied to users with email addresses ending in .gov and .edu. After receiving Fowler’s notice of responsible disclosure, DreamHost secured the database within hours.
DreamHost's legal team was notified of the discovery on May 4, and a representative acknowledged that the report was being passed along to them. It was, however, unclear how long the database had been exposed, leaving those whose data it held potentially vulnerable to phishing attacks.
An exposed database can reveal information about configuration, applications, operating systems, software, and build details, which could uncover vulnerabilities if those components are unpatched or outdated. A cybercriminal can collect and use data in complex ways.